
<!doctype html>
<html lang="en-US">
  <head>
  <meta charset="utf-8">
  <meta http-equiv="x-ua-compatible" content="ie=edge">
  <meta name="viewport" content="width=device-width, initial-scale=1">
  <link rel="apple-touch-icon" sizes="180x180" href="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v5/favicon/icon-Unit42-180x180.png">
	<link rel="icon" type="image/png" sizes="32x32" href="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v5/favicon/icon-Unit42-32x32.png">
	<link rel="icon" type="image/png" sizes="16x16" href="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v5/favicon/icon-Unit42-16x16.png">
	<link rel="manifest" href="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v5/favicon/site.webmanifest">
	<link rel="mask-icon" href="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v5/favicon/safari-pinned-tab.svg" color="#000000">
	<meta name="msapplication-TileColor" content="#000000">
	<meta name="theme-color" content="#000">
        <script type="text/javascript">
// Both globals hold the same main-site origin string. Nothing in this
// script block reads them; their consumers are outside this view.
var main_site_url = 'https://www.paloaltonetworks.com',
    maindomain_lang = 'https://www.paloaltonetworks.com';
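/**
 * Read a single query-string parameter from a URL.
 *
 * The URL is attacker-influenced input (anyone can craft a link to this
 * page), so this function must not throw on malformed data and must match
 * the parameter name literally.
 *
 * @param {string} name Parameter name to look up; matched literally.
 * @param {?string} [url] URL to search; window.location.href is used when
 *     this is null or undefined.
 * @returns {?string} The decoded value; '' when the parameter is present
 *     without a value; null when the parameter is absent or its value is not
 *     valid percent-encoding.
 */
function getParameterByName(name, url) {
    if (url == null) {
        url = window.location.href;
    }
    // Escape every regex metacharacter, not only the brackets, so a name such
    // as 'a.b' cannot match a different parameter like 'axb'.
    var escapedName = name.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
    var match = new RegExp('[?&]' + escapedName + '(=([^&#]*)|&|#|$)').exec(url);
    if (!match) return null;
    if (!match[2]) return '';
    try {
        // '+' encodes a space in query strings; convert it before decoding.
        return decodeURIComponent(match[2].replace(/\+/g, ' '));
    } catch (err) {
        // decodeURIComponent throws URIError on malformed sequences such as a
        // lone '%'. Treat such a value as absent rather than letting a crafted
        // link abort the rest of the inline script.
        return null;
    }
}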
	// Read the optional ?container= query parameter once, at page load.
	var container_q = getParameterByName('container');
	var d_lang = 'en';
	// Act only on a non-empty value (null means the parameter was absent).
	if (!(container_q == null || container_q == '')) {
	    // NOTE(review): the stored value is whatever the URL supplied, with no
	    // validation here. Code that later reads the 'container' key from
	    // sessionStorage (not visible in this block) should treat it as
	    // untrusted input. TODO: confirm consumers validate or encode it.
	    window.sessionStorage.setItem('container', container_q);
	    // The target is a hard-coded URL on this site, so the parameter cannot
	    // steer the navigation; this reload only drops the query string.
	    window.location.href = 'https://unit42.paloaltonetworks.com/alloy-taurus';
	}
</script>
<style type="text/css">
@font-face{font-family:'Merriweather';font-style:normal;font-weight:300;font-display:swap;src:url('https://www.paloaltonetworks.com/etc/clientlibs/clean/dependencies/fonts/merriweather/merriweather-v21-latin-300.eot');src:local('Merriweather Light'),local('Merriweather-Light'),url('https://www.paloaltonetworks.com/etc/clientlibs/clean/dependencies/fonts/merriweather/merriweather-v21-latin-300.eot?#iefix') format('embedded-opentype'),url('https://www.paloaltonetworks.com/etc/clientlibs/clean/dependencies/fonts/merriweather/merriweather-v21-latin-300.woff2') format('woff2'),url('https://www.paloaltonetworks.com/etc/clientlibs/clean/dependencies/fonts/merriweather/merriweather-v21-latin-300.woff') format('woff'),url('https://www.paloaltonetworks.com/etc/clientlibs/clean/dependencies/fonts/merriweather/merriweather-v21-latin-300.ttf') format('truetype'),url('https://www.paloaltonetworks.com/etc/clientlibs/clean/dependencies/fonts/merriweather/merriweather-v21-latin-300.svg#Merriweather') format('svg')}
@font-face{font-family:'Merriweather';font-style:italic;font-weight:300;font-display:swap;src:url('https://www.paloaltonetworks.com/etc/clientlibs/clean/dependencies/fonts/merriweather/merriweather-v21-latin-300italic.eot');src:local('Merriweather Light Italic'),local('Merriweather-LightItalic'),url('https://www.paloaltonetworks.com/etc/clientlibs/clean/dependencies/fonts/merriweather/merriweather-v21-latin-300italic.eot?#iefix') format('embedded-opentype'),url('https://www.paloaltonetworks.com/etc/clientlibs/clean/dependencies/fonts/merriweather/merriweather-v21-latin-300italic.woff2') format('woff2'),url('https://www.paloaltonetworks.com/etc/clientlibs/clean/dependencies/fonts/merriweather/merriweather-v21-latin-300italic.woff') format('woff'),url('https://www.paloaltonetworks.com/etc/clientlibs/clean/dependencies/fonts/merriweather/merriweather-v21-latin-300italic.ttf') format('truetype'),url('https://www.paloaltonetworks.com/etc/clientlibs/clean/dependencies/fonts/merriweather/merriweather-v21-latin-300italic.svg#Merriweather') format('svg')}
@font-face{font-family:'Merriweather';font-style:normal;font-weight:400;font-display:swap;src:url('https://www.paloaltonetworks.com/etc/clientlibs/clean/dependencies/fonts/merriweather/merriweather-v21-latin-regular.eot');src:local('Merriweather Regular'),local('Merriweather-Regular'),url('https://www.paloaltonetworks.com/etc/clientlibs/clean/dependencies/fonts/merriweather/merriweather-v21-latin-regular.eot?#iefix') format('embedded-opentype'),url('https://www.paloaltonetworks.com/etc/clientlibs/clean/dependencies/fonts/merriweather/merriweather-v21-latin-regular.woff2') format('woff2'),url('https://www.paloaltonetworks.com/etc/clientlibs/clean/dependencies/fonts/merriweather/merriweather-v21-latin-regular.woff') format('woff'),url('https://www.paloaltonetworks.com/etc/clientlibs/clean/dependencies/fonts/merriweather/merriweather-v21-latin-regular.ttf') format('truetype'),url('https://www.paloaltonetworks.com/etc/clientlibs/clean/dependencies/fonts/merriweather/merriweather-v21-latin-regular.svg#Merriweather') format('svg')}
@font-face{font-family:'Merriweather';font-style:italic;font-weight:400;font-display:swap;src:url('https://www.paloaltonetworks.com/etc/clientlibs/clean/dependencies/fonts/merriweather/merriweather-v21-latin-italic.eot');src:local('Merriweather Italic'),local('Merriweather-Italic'),url('https://www.paloaltonetworks.com/etc/clientlibs/clean/dependencies/fonts/merriweather/merriweather-v21-latin-italic.eot?#iefix') format('embedded-opentype'),url('https://www.paloaltonetworks.com/etc/clientlibs/clean/dependencies/fonts/merriweather/merriweather-v21-latin-italic.woff2') format('woff2'),url('https://www.paloaltonetworks.com/etc/clientlibs/clean/dependencies/fonts/merriweather/merriweather-v21-latin-italic.woff') format('woff'),url('https://www.paloaltonetworks.com/etc/clientlibs/clean/dependencies/fonts/merriweather/merriweather-v21-latin-italic.ttf') format('truetype'),url('https://www.paloaltonetworks.com/etc/clientlibs/clean/dependencies/fonts/merriweather/merriweather-v21-latin-italic.svg#Merriweather') format('svg')}
@font-face{font-family:'Merriweather';font-style:normal;font-weight:700;font-display:swap;src:url('https://www.paloaltonetworks.com/etc/clientlibs/clean/dependencies/fonts/merriweather/merriweather-v21-latin-700.eot');src:local('Merriweather Bold'),local('Merriweather-Bold'),url('https://www.paloaltonetworks.com/etc/clientlibs/clean/dependencies/fonts/merriweather/merriweather-v21-latin-700.eot?#iefix') format('embedded-opentype'),url('https://www.paloaltonetworks.com/etc/clientlibs/clean/dependencies/fonts/merriweather/merriweather-v21-latin-700.woff2') format('woff2'),url('https://www.paloaltonetworks.com/etc/clientlibs/clean/dependencies/fonts/merriweather/merriweather-v21-latin-700.woff') format('woff'),url('https://www.paloaltonetworks.com/etc/clientlibs/clean/dependencies/fonts/merriweather/merriweather-v21-latin-700.ttf') format('truetype'),url('https://www.paloaltonetworks.com/etc/clientlibs/clean/dependencies/fonts/merriweather/merriweather-v21-latin-700.svg#Merriweather') format('svg')}
@font-face{font-family:'Merriweather';font-style:italic;font-weight:700;font-display:swap;src:url('https://www.paloaltonetworks.com/etc/clientlibs/clean/dependencies/fonts/merriweather/merriweather-v21-latin-700italic.eot');src:local('Merriweather Bold Italic'),local('Merriweather-BoldItalic'),url('https://www.paloaltonetworks.com/etc/clientlibs/clean/dependencies/fonts/merriweather/merriweather-v21-latin-700italic.eot?#iefix') format('embedded-opentype'),url('https://www.paloaltonetworks.com/etc/clientlibs/clean/dependencies/fonts/merriweather/merriweather-v21-latin-700italic.woff2') format('woff2'),url('https://www.paloaltonetworks.com/etc/clientlibs/clean/dependencies/fonts/merriweather/merriweather-v21-latin-700italic.woff') format('woff'),url('https://www.paloaltonetworks.com/etc/clientlibs/clean/dependencies/fonts/merriweather/merriweather-v21-latin-700italic.ttf') format('truetype'),url('https://www.paloaltonetworks.com/etc/clientlibs/clean/dependencies/fonts/merriweather/merriweather-v21-latin-700italic.svg#Merriweather') format('svg')}


@font-face{font-family:'Decimal';font-style:normal;font-weight:500;font-display:swap;src:local('Decimal Medium'),local('Decimal-Medium'),url('https://www.paloaltonetworks.com/etc/clientlibs/clean/dependencies/fonts/decimal/Decimal-Medium-Pro_Web.woff2') format('woff2'),url('https://www.paloaltonetworks.com/etc/clientlibs/clean/dependencies/fonts/decimal/Decimal-Medium-Pro_Web.woff') format('woff'),url('https://www.paloaltonetworks.com/etc/clientlibs/clean/dependencies/fonts/decimal/Decimal-Medium-Pro.otf') format('opentype')}
@font-face{font-family:'Decimal';font-style:italic;font-weight:500;font-display:swap;src:local('Decimal Medium'),local('Decimal-Medium'),url('https://www.paloaltonetworks.com/etc/clientlibs/clean/dependencies/fonts/decimal/Decimal-MediumItalic-Pro_Web.woff2') format('woff2'),url('https://www.paloaltonetworks.com/etc/clientlibs/clean/dependencies/fonts/decimal/Decimal-MediumItalic-Pro_Web.woff') format('woff'),url('https://www.paloaltonetworks.com/etc/clientlibs/clean/dependencies/fonts/decimal/Decimal-MediumItalic-Pro.otf') format('opentype')}
@font-face{font-family:'Decimal';font-style:normal;font-weight:600;font-display:swap;src:local('Decimal SemiBold'),local('Decimal-SemiBold'),url('https://www.paloaltonetworks.com/etc/clientlibs/clean/dependencies/fonts/decimal/Decimal-Semibold-Pro_Web.woff2') format('woff2'),url('https://www.paloaltonetworks.com/etc/clientlibs/clean/dependencies/fonts/decimal/Decimal-Semibold-Pro_Web.woff') format('woff'),url('https://www.paloaltonetworks.com/etc/clientlibs/clean/dependencies/fonts/decimal/Decimal-Semibold-Pro.otf') format('opentype')}
@font-face{font-family:'Decimal';font-style:italic;font-weight:600;font-display:swap;src:local('Decimal SemiBold'),local('Decimal-SemiBold'),url('https://www.paloaltonetworks.com/etc/clientlibs/clean/dependencies/fonts/decimal/Decimal-SemiboldItalic-Pro_Web.woff2') format('woff2'),url('https://www.paloaltonetworks.com/etc/clientlibs/clean/dependencies/fonts/decimal/Decimal-SemiboldItalic-Pro_Web.woff') format('woff'),url('https://www.paloaltonetworks.com/etc/clientlibs/clean/dependencies/fonts/decimal/Decimal-SemiboldItalic-Pro.otf') format('opentype')}
@font-face{font-family:'Decimal';font-style:normal;font-weight:700;font-display:swap;src:local('Decimal Bold'),local('Decimal-Bold'),url('https://www.paloaltonetworks.com/etc/clientlibs/clean/dependencies/fonts/decimal/Decimal-Bold-Pro_Web.woff2') format('woff2'),url('https://www.paloaltonetworks.com/etc/clientlibs/clean/dependencies/fonts/decimal/Decimal-Bold-Pro_Web.woff') format('woff'),url('https://www.paloaltonetworks.com/etc/clientlibs/clean/dependencies/fonts/decimal/Decimal-Bold-Pro.otf') format('opentype')}
@font-face{font-family:'Decimal';font-style:italic;font-weight:700;font-display:swap;src:local('Decimal Bold'),local('Decimal-Bold'),url('https://www.paloaltonetworks.com/etc/clientlibs/clean/dependencies/fonts/decimal/Decimal-BoldItalic-Pro_Web.woff2') format('woff2'),url('https://www.paloaltonetworks.com/etc/clientlibs/clean/dependencies/fonts/decimal/Decimal-BoldItalic-Pro_Web.woff') format('woff'),url('https://www.paloaltonetworks.com/etc/clientlibs/clean/dependencies/fonts/decimal/Decimal-BoldItalic-Pro.otf') format('opentype')}    

.nav {
    display: flex;
    flex-wrap: wrap;
    padding-left: 0;
    margin-bottom: 0;
    list-style: none;
}
dl, ol, ul {
    margin-top: 0;
    margin-bottom: 1rem;
}
.nav-link {
    display: block;
    padding: .5rem 1rem;
}
.productNav2021Component .btn {
    flex-grow: 0;
    flex-shrink: 0;
    display: inline-block;
    font-family: Decimal,Arial,"Helvetica Neue",Helvetica,sans-serif;
    font-weight: 600;
    color: #141414;
    text-align: center;
    vertical-align: middle;
    user-select: none;
    background-color: transparent;
    border: 2px solid transparent;
    border-radius: 50px;
    transition: box-shadow .15s ease-in-out;
}

.productNav2021Component .btn-primary{
    display: inline-flex;
    align-items: center;
    text-decoration: none;
    max-width: 100%;
    text-align: left;
    background-color: #fa582d;
    color: #141414;
    position: relative;
}
.productNav2021Component .btn-primary.focus,.productNav2021Component  .btn-primary:focus{
    color: #141414;
    border-color: #00c0e8;
}
.productNav2021Component .btn-primary:hover, .productNav2021Component .btn-primary-outline:hover,  .productNav2021Component .btn-black:hover, .productNav2021Component .btn-white:hover {
    background-color: #fb7652;
}
.productNav2021Component .btn{
    height:auto;
}
.productNav2021Component .btn:hover {
    color: #141414;
    text-decoration: none;
    border-color: transparent;
}
.productNav2021Component .btn-dark,.productNav2021Component .btn-outline-dark{
    display: inline-flex;
    align-items: center;
    text-decoration: none;
    max-width: 100%;
    text-align: left;
    background: 0;
    color: #fff;
    position: relative;
}
.productNav2021Component .btn-dark i, .productNav2021Component .btn-outline-dark i {
    width: 20px;
    height: 20px;
    margin-left: 15px;
    flex-grow: 0;
    flex-shrink: 0;
    display: inline-block;
    background-size: contain;
    background-position: center;
    background-repeat: no-repeat;
    background-image: url('https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/arrow-right-white.svg');
}
.productNav2021Component .btn-dark:hover{
    color: #999;
}
.productNav2021Component .btn-dark:not(:disabled):not(.disabled):active,.productNav2021Component .btn-dark:hover{
    background-color: transparent;
    border-color: transparent;
}
.productNav2021Component .btn-dark:not(:disabled):not(.disabled):active:focus{
    box-shadow: none;
}
.productNav2021Component .display-2{
    font-family: Merriweather,Georgia,serif;
    font-weight: 400;
    color: #5f5f5f;
    font-size: 14px;
    line-height: 24px;
} 
.panClean .ar-1-1 img,.panClean .ar-4-3 img,.panClean .ar-3-2 img,.panClean .ar-3-4 img,.panClean .ar-12-17 img,.panClean .ar-16-7 img,.panClean .ar-16-9 img{
    position:absolute;
    width:100%;
    height:100%;
    object-fit:contain;
    font-family:'object-fit: contain;'
}
.panClean .ar-3-2{padding-bottom:66.6666667%}
.panClean .ar-1-1,.panClean .ar-4-3,.panClean .ar-3-2,.panClean .ar-3-4,.panClean .ar-12-17,.panClean .ar-16-7,.panClean .ar-16-9{display:inline-block;width:100%;height:0;overflow:hidden;position:relative;margin:0}
.panClean .ar-16-9{padding-bottom:52.25%}
.panClean .ar-3-4{padding-bottom:133.3333333%}
.productNav2021Component .container,.productNav2021Component .container-fluid,.productNav2021Component .container-sm,.productNav2021Component .container-md,.productNav2021Component .container-lg,.productNav2021Component .container-xl{width:100%;padding-right:15px;padding-left:15px;margin-right:auto;margin-left:auto}

/** [Start] custom css, not copied from main site **/
.productNav2021Component a, button, input[type=reset], input[type=submit]{
    transition: none;
}
.panClean .productNav2021Component .prisma-2021-nav-main .btn.btn-primary {
    height: auto;
}
.pan-search-coveo-header .magic-box-clear{
    display: block!important;
}
.no-scroll{overflow:hidden !important}
/** [End] custom css, not copied from main site **/
@media (min-width: 576px){
.productNav2021Component .container-fluid {
    width: auto;
    margin-left: 7.14285714%;
    margin-right: 7.14285714%;
}
}
@media(min-width:768px){.productNav2021Component .btn{padding:13px 24px;font-size:16px;line-height:20px}}
@media(min-width:768px){.productNav2021Component .btn{padding:13px 24px;font-size:16px;line-height:20px}
.productNav2021Component .btn-light,.productNav2021Component .btn-dark{padding-left:0;padding-right:0}
.productNav2021Component .btn-link{padding:5px 0}
.productNav2021Component .btn-lg,.productNav2021Component .btn-group-lg>.btn{padding:20px 40px;font-size:18px}
.productNav2021Component .btn-sm,.productNav2021Component .btn-group-sm>.btn{padding:10px 20px;font-size:14px}
}
@media(max-width:767.98px){.productNav2021Component .btn{padding:10px 20px;font-size:14px;line-height:18px;}}
@media(max-width:767.98px){
    .productNav2021Component .btn-dark{padding-left:0;padding-right:0}
}    
.wpp-meta {
    display: none !important;
}
</style>   
<link rel='stylesheet'  href='https://www.paloaltonetworks.com/etc.clientlibs/panClean/components/mainNavigationComp/clientlibs/panClean/criticalTop.min.css' type='text/css' media='all' />
<!--<link rel='stylesheet' href='https://www.paloaltonetworks.com/etc.clientlibs/panClean/components/mainNavigationComp/clientlibs/panClean/defered.min.css' media='all' />
<link rel='stylesheet' href='https://www.paloaltonetworks.com/etc/clientlibs/clean/panClean/prisma/defered.min.css' media='all' />-->
<link rel='stylesheet' href='https://www.paloaltonetworks.com/etc.clientlibs/panClean/components/mainNavigationComp/clientlibs/panClean/criticalTopProductNav.min.css' media='all' />
<link rel='stylesheet' href='https://www.paloaltonetworks.com/etc.clientlibs/panClean/components/mainNavigationComp/clientlibs/panClean/deferedProductNav.min.css' media='all' />
    <meta name='robots' content='index, follow, max-image-preview:large, max-snippet:-1, max-video-preview:-1' />
<link rel="alternate" hreflang="en" href="https://unit42.paloaltonetworks.com/alloy-taurus/" />
<link rel="alternate" hreflang="ja" href="https://unit42.paloaltonetworks.jp/alloy-taurus/" />
<link rel="alternate" hreflang="x-default" href="https://unit42.paloaltonetworks.com/alloy-taurus/" />

	<!-- This site is optimized with the Yoast SEO Premium plugin v19.6 (Yoast SEO v19.13) - https://yoast.com/wordpress/plugins/seo/ -->
	<title>Chinese Alloy Taurus Updates PingPull Malware</title>
	<meta name="description" content="A PingPull malware variant for Linux has been found. We’re also tracking a new backdoor attributed to Alloy Taurus called Sword2033." />
	<link rel="canonical" href="https://unit42.paloaltonetworks.com/alloy-taurus/" />
	<meta property="og:locale" content="en_US" />
	<meta property="og:type" content="article" />
	<meta property="og:title" content="Chinese Alloy Taurus Updates PingPull Malware" />
	<meta property="og:description" content="A PingPull malware variant for Linux has been found. We’re also tracking a new backdoor attributed to Alloy Taurus called Sword2033." />
	<meta property="og:url" content="https://unit42.paloaltonetworks.com/alloy-taurus/" />
	<meta property="og:site_name" content="Unit 42" />
	<meta property="article:published_time" content="2023-04-26T10:00:34+00:00" />
	<meta property="article:modified_time" content="2023-04-26T13:27:14+00:00" />
	<meta property="og:image" content="https://unit42.paloaltonetworks.com/wp-content/uploads/2023/04/PA-Unit42-TAC-AlloyTAURUS_-Landscape.jpg" />
	<meta property="og:image:width" content="1505" />
	<meta property="og:image:height" content="922" />
	<meta property="og:image:type" content="image/jpeg" />
	<meta name="author" content="Unit 42" />
	<meta name="twitter:card" content="summary_large_image" />
	<!-- / Yoast SEO Premium plugin. -->


<link rel='dns-prefetch' href='//www.google.com' />
<link rel="alternate" type="application/rss+xml" title="Unit 42 &raquo; Chinese Alloy Taurus Updates PingPull Malware Comments Feed" href="https://unit42.paloaltonetworks.com/alloy-taurus/feed/" />
<script type="text/javascript">
var globalConfig = {};
globalConfig.buildName = "UniqueResourceAssetsID_DEC022022";
</script>
<meta property="og:likes" content="2"/>
<meta property="og:readtime" content="6"/>
<meta property="og:views" content="4,870"/>
<meta property="og:date_created" content="April 26, 2023 at 3:00 AM"/>
<meta property="og:post_length" content="1648"/>
<meta property="og:category" content="Malware"/>
<meta property="og:category_link" content="https://unit42.paloaltonetworks.com/category/malware-2/"/>
<meta property="og:author" content="Unit 42"/>
<meta property="og:authorlink" content="https://unit42.paloaltonetworks.com/author/unit42/"/>
<meta property="og:author_image_link" content="https://unit42.paloaltonetworks.com/wp-content/uploads/2018/11/unit-news-meta.svg"/>
<meta name="post_tags" content="Advanced URL Filtering,Alloy Taurus,APT,China Chopper,Cortex XDR,Cortex XSIAM,Cortex XSOAR,DNS security,GALLIUM,next-generation firewall,PingPull,WildFire"/>
<meta property="og:post_image" content="https://unit42.paloaltonetworks.com/wp-content/uploads/2023/04/PA-Unit42-TAC-AlloyTAURUS_-Landscape.jpg"/>
<script type="application/ld+json">{"@context":"https:\/\/schema.org","@type":"BlogPosting","headline":"Chinese Alloy Taurus Updates PingPull Malware","name":"Chinese Alloy Taurus Updates PingPull Malware","description":"A PingPull malware variant for Linux has been found. We\u2019re also tracking a new backdoor attributed to Alloy Taurus called Sword2033.","url":"https:\/\/unit42.paloaltonetworks.com\/alloy-taurus\/","mainEntityOfPage":"https:\/\/unit42.paloaltonetworks.com\/alloy-taurus\/","datePublished":"April 26, 2023","articleBody":"Executive Summary\r\nUnit 42 researchers recently identified a new variant of PingPull malware used by Alloy Taurus actors designed to target Linux systems. While following the infrastructure leveraged by the actor for this PingPull variant, we also identified their use of another backdoor we track as Sword2033.\r\n\r\nThe first samples of PingPull malware date back to September 2021. Monitoring its use across several campaigns, in June 2022 Unit 42 published research outlining the functionality of PingPull and attributed the use of the tool to Alloy Taurus.\r\n\r\nOperating since at least 2012, Alloy Taurus (aka GALLIUM, Softcell) is assessed to be a Chinese advanced persistent threat (APT) group that routinely conducts cyberespionage campaigns. This group has historically targeted telecommunications companies operating across Asia, Europe and Africa. In recent years we have also observed the group expand their targeting to include financial institutions and government entities.\r\n\r\nWe provide a detailed breakdown of the following:\r\n\r\n \tA new variant of PingPull\r\n \tSword2033 samples linked to the same command and control (C2) infrastructure\r\n \tRecent activity by Alloy Taurus in South Africa and Nepal\r\n\r\nPalo Alto Networks customers receive protections from the threats described in this blog through Cortex XDR and WildFire malware analysis. 
The Advanced URL Filtering and DNS Security Cloud-Delivered Security Services can help protect against C2 infrastructure.\r\n\r\n\r\n\r\nRelated Unit 42 Topics\r\nAlloy Taurus, PingPull, Advanced Persistent Threat\r\n\r\n\r\n\r\nTable of Contents\r\nPingPull Linux Variant\r\nSword2033 Backdoor\r\nInfrastructure Analysis\r\nConclusion\r\nProtections and Mitigations\r\nIndicators of Compromise\r\nAdditional Resources\r\nPingPull Linux Variant\r\nOn March 7, 2023, the following sample was uploaded to VirusTotal.\r\n\r\n\r\n\r\nFilename\r\nnztloader\r\n\r\n\r\nFiletype\r\nELF\r\n\r\n\r\nSHA256\r\ncb0922d8b130504bf9a3078743294791201789c5a3d7bc0369afd096ea15f0ae\r\n\r\n\r\n\r\nTable 1. PingPull sample file details.\r\nAt the time of writing, three out of 62 vendors found the sample to be malicious. Despite a largely benign verdict, additional analysis has determined that this sample is a Linux variant of PingPull malware. This determination was made based on matching HTTP communication structure, POST parameters, AES key, and C2 commands, which are outlined below.\r\n\r\nUpon execution, this sample is configured to communicate with the domain yrhsywu2009.zapto[.]org over port 8443 for C2. It uses a statically linked OpenSSL (OpenSSL 0.9.8e) library to interact with the domain over HTTPS via the following HTTP POST request:\r\n\r\n[caption id=\"attachment_127900\" align=\"aligncenter\" width=\"600\"] Figure 1. PingPull Linux variant POST request.[\/caption]\r\n\r\nThe payload then expects the C2 server to respond with data that is Base64 encoded ciphertext, encrypted with AES using P29456789A1234sS as the key. This is the same key that we previously observed in the original Windows PE variant of PingPull.\r\n\r\nOnce decoded, the cleartext resembles HTTP parameters and the payload will parse the cleartext for &amp; and = with the following parameters:\r\n\r\n[caption id=\"attachment_127902\" align=\"aligncenter\" width=\"600\"] Figure 2. 
PingPull HTTP parameters.[\/caption]\r\n\r\nThe value in the P29456789A1234sS parameter will contain a single upper case character between A and K, as well as M, which the payload will use as the command value. The values in the z0, z1 and z2 parameters are used for the arguments passed to the command.\r\n\r\nAfter running the command, the payload will send the results back to the C2 server via an HTTPS request that resembles the beacon request, but contains Base64 encoded ciphertext. The command handler supports the following functionality that aligns with both China Chopper capabilities and those observed in the PingPull Windows PE variant:\r\n\r\n\r\n\r\nCmd\r\nDescription\r\n\r\n\r\nA\r\nGet the current directory\r\n\r\n\r\nB\r\nList folder\r\n\r\n\r\nC\r\nRead text file\r\n\r\n\r\nD\r\nWrite text file\r\n\r\n\r\nE\r\nDelete file or folder\r\n\r\n\r\nF\r\nRead binary file, convert to hex\r\n\r\n\r\nG\r\nWrite binary file, convert to hex\r\n\r\n\r\nH\r\nCopy file or folder\r\n\r\n\r\nI\r\nRename file\r\n\r\n\r\nJ\r\nCreate Directory\r\n\r\n\r\nK\r\nTimestomp file with specified timestamp in \"%04d-%d-%d %d:%d:%d\" format\r\n\r\n\r\nM\r\nRun command\r\n\r\n\r\n\r\nTable 2. PingPull command handler functionality.\r\nOf note, the HTTP parameters z0, z1 and z2 and command handlers A-K, M also align to commands A-K, M observed in the web shell China Chopper. This suggests that Alloy Taurus is using code they might be familiar with, and they are integrating it into the development of custom tooling.\r\nSword2033 Backdoor\r\nPivoting on the C2 domain, we identified one additional sample that also communicated with yrhsywu2009.zapto[.]org:\r\n\r\n\r\n\r\nSword2033 Sample 1\r\n\r\n\r\nFilename\r\nzimbra\r\n\r\n\r\nFiletype\r\nELF\r\n\r\n\r\nSHA256\r\n5ba043c074818fdd06ae1d3939ddfe7d3d35bab5d53445bc1f2f689859a87507\r\n\r\n\r\n\r\nTable 3. 
Related Sword2033 sample file details.\r\nSimilar to the PingPull variant above, this sample was designed to connect to port 8443 over HTTPS. However, analysis of the sample revealed that it\u2019s a simple backdoor that we track as Sword2033. This backdoor supports three basic functions:\r\n\r\n\r\n\r\nCmd\r\nDescription\r\n\r\n\r\n#up\r\nUploads a file to the system\r\n\r\n\r\n#dn\r\nDownloads a file from the system\r\n\r\n\r\nexc \/c:\r\nExecutes a command, but appends ;echo &lt;random number&gt;\\n before running it\r\n\r\n\r\n\r\nTable 4. Sword2033 command handler functionality.\r\nThese three commands map to commands in a second command handler that uses A, C, D and M commands, which are identical in value and functionality with the PingPull commands identified in Table 2 above.\r\n\r\nSearching for other recent samples of Sword2033, we identified a second sample:\r\n\r\n\r\n\r\nSword2033 Sample 2\r\n\r\n\r\nFilename\r\nHopke\r\n\r\n\r\nFiletype\r\nELF\r\n\r\n\r\nSHA256\r\ne39b5c32ab255ad284ae6d4dae8b4888300d4b5df23157404d9c8be3f95b3253\r\n\r\n\r\n\r\nTable 5. Additional Sword2033 sample file details.\r\nThis sample was seen in July 2022. Analysis of this sample revealed that it\u2019s configured to connect to 196.216.136[.]139, located in South Africa, for C2.\r\nInfrastructure Analysis\r\nAnalysis of the C2 domain yrhsywu2009.zapto[.]org found in the PingPull Linux variant and the first Sword2033 sample shows it was most recently hosted on 5.181.25[.]99 until early February 2023. However, a historical review of its hosting revealed that this domain resolved to 45.251.241[.]82 for a single day in April 2022. This IP was outlined as an active indicator of compromise (IoC) in our June 2022 report, thereby drawing a clear link to Alloy Taurus activities.\r\n\r\nAnalysis of the C2 for the second Sword2033 sample (Hopke, referenced in Table 5) found that the domain *.saspecialforces.co[.]za resolved to 196.216.136[.]139. 
This domain has been hosted on eight other IPs throughout its history with various mail-related subdomains.\r\n\r\nNone of these IPs appear to have any affiliation with the South African government, but the domain name gives the impression of a connection to the South African military. The establishment of a C2 server that appears to impersonate the South African military is uniquely notable when analyzed in the context of recent events. In February 2023, South Africa joined Russia and China to participate in combined naval exercises.\r\n\r\nAdditionally, 196.216.136[.]139 resolved to vpn729380678.softether[.]net from late December 2022 through mid-February 2023. Alloy Taurus is known for leveraging the SoftEther VPN service in their operations to facilitate access and maintain persistence to their targeted network.\r\n\r\nThreat actors often abuse, take advantage of or subvert legitimate products like SoftEther VPN for malicious purposes. This does not necessarily imply a flaw or malicious quality to the legitimate product being abused.\r\n\r\n[caption id=\"attachment_127904\" align=\"aligncenter\" width=\"900\"] Figure 3. PingPull\/Sword2033 infrastructure visualization.[\/caption]\r\n\r\nReviewing traffic to the Sword2033 C2 server 196.216.136[.]139, we identified sustained connections originating from an IP that hosts several subdomains for an organization that finances long-term urban infrastructure development projects in Nepal.\r\nConclusion\r\nAlloy Taurus remains an active threat to telecommunications, finance and government organizations across Southeast Asia, Europe and Africa. The identification of a Linux variant of PingPull malware, as well as recent use of the Sword2033 backdoor, suggests that the group continues to evolve their operations in support of their espionage activities. 
We encourage all organizations to leverage our findings to inform the deployment of protective measures to defend against this threat group.\r\n\r\nPalo Alto Networks has shared these findings, including file samples and indicators of compromise, with our fellow Cyber Threat Alliance (CTA) members. CTA members use this intelligence to rapidly deploy protections to their customers and to systematically disrupt malicious cyber actors. Learn more about the Cyber Threat Alliance.\r\nProtections and Mitigations\r\nIn order to defend against the threats described in this blog, Palo Alto Networks recommends organizations employ the following capabilities:\r\n\r\n \tNetwork Security: Delivered through a Next-Generation Firewall (NGFW) configured with machine learning enabled, and best-in-class, cloud-delivered security services. This includes, for example, threat prevention, URL filtering, DNS security and a malware prevention engine capable of identifying and blocking malicious samples and infrastructure.\r\n \tEndpoint Security: Delivered through an XDR solution that is capable of identifying malicious code through the use of advanced machine learning and behavioral analytics. 
This solution should be configured to act on and block threats in real time as they are identified.\r\n \tSecurity Automation: Delivered through an XSOAR or XSIAM solution capable of providing SOC analysts with a comprehensive understanding of the threat derived by stitching together data obtained from endpoints, network, cloud and identity systems.\r\n\r\nSpecific Product Protections and Mitigations\r\nFor Palo Alto Networks customers, our products and services provide the following coverage associated with this group:\r\n\r\n \tWildFire\u00a0cloud-based threat analysis service accurately identifies the malware described in this blog as malicious.\r\n \tAdvanced URL Filtering\u00a0and\u00a0DNS Security\u00a0identify domains associated with Alloy Taurus as malicious.\r\n \tCortex XDR prevents the execution of known malware samples as malicious.\r\n\r\nIf you think you may have been compromised or have an urgent matter, get in touch with the Unit 42 Incident Response team or call:\r\n\r\n \tNorth America Toll-Free: 866.486.4842 (866.4.UNIT42)\r\n \tEMEA: +31.20.299.3130\r\n \tAPAC: +65.6983.8730\r\n \tJapan: +81.50.1790.0200\r\n\r\nIndicators of Compromise\r\nPingPull Linux Variant\r\n\r\n \tcb0922d8b130504bf9a3078743294791201789c5a3d7bc0369afd096ea15f0ae\r\n\r\nSword2033\r\n\r\n \t5ba043c074818fdd06ae1d3939ddfe7d3d35bab5d53445bc1f2f689859a87507\r\n \te39b5c32ab255ad284ae6d4dae8b4888300d4b5df23157404d9c8be3f95b3253\r\n\r\nAlloy Taurus Infrastructure\r\n\r\n \tyrhsywu2009.zapto[.]org\r\n \t*.saspecialforces.co[.]za\r\n \tvpn729380678.softether[.]net\r\n \t5.181.25[.]99\r\n \t196.216.136[.]139\r\n\r\nAdditional Resources\r\n\r\n \tGALLIUM Expands Targeting Across Telecommunications, Government and Finance Sectors With New PingPull Tool, Unit 42, Palo Alto Networks\r\n \tGALLIUM, MITRE\r\n \tOperation Soft Cell: A Worldwide Campaign Against Telecommunications Provider, CyberReason\r\n \tGALLIUM: Targeting global telecom, Microsoft Threat Intelligence Center 
(MSTIC)\r\n","publisher":{"@type":"Organization","@id":"#panworg"},"image":{"@type":"ImageObject","url":"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2023\/04\/PA-Unit42-TAC-AlloyTAURUS_-Landscape.jpg","width":150,"height":92},"author":[{"@type":"Person","name":"Unit 42"}]}</script><link rel='stylesheet' id='crayon-css' href='https://unit42.paloaltonetworks.com/wp-content/plugins/crayon-syntax-highlighter/css/min/crayon.min.css?ver=_2.7.2_beta' type='text/css' media='all' />
<link rel='stylesheet' id='wp-block-library-css' href='https://unit42.paloaltonetworks.com/wp-includes/css/dist/block-library/style.min.css?ver=6.1.1' type='text/css' media='all' />
<link rel='stylesheet' id='classic-theme-styles-css' href='https://unit42.paloaltonetworks.com/wp-includes/css/classic-themes.min.css?ver=1' type='text/css' media='all' />
<link rel='stylesheet' id='dashicons-css' href='https://unit42.paloaltonetworks.com/wp-includes/css/dashicons.min.css?ver=6.1.1' type='text/css' media='all' />
<link rel='stylesheet' id='post-views-counter-frontend-css' href='https://unit42.paloaltonetworks.com/wp-content/plugins/post-views-counter/css/frontend.min.css?ver=1.3.12' type='text/css' media='all' />
<link rel='stylesheet' id='ppress-frontend-css' href='https://unit42.paloaltonetworks.com/wp-content/plugins/wp-user-avatar/assets/css/frontend.min.css?ver=4.4.1' type='text/css' media='all' />
<link rel='stylesheet' id='ppress-flatpickr-css' href='https://unit42.paloaltonetworks.com/wp-content/plugins/wp-user-avatar/assets/flatpickr/flatpickr.min.css?ver=4.4.1' type='text/css' media='all' />
<link rel='stylesheet' id='ppress-select2-css' href='https://unit42.paloaltonetworks.com/wp-content/plugins/wp-user-avatar/assets/select2/select2.min.css?ver=6.1.1' type='text/css' media='all' />
<link rel='stylesheet' id='wpml-legacy-horizontal-list-0-css' href='//unit42.paloaltonetworks.com/wp-content/plugins/sitepress-multilingual-cms/templates/language-switchers/legacy-list-horizontal/style.min.css?ver=1' type='text/css' media='all' />
<link rel='stylesheet' id='wpml-legacy-post-translations-0-css' href='//unit42.paloaltonetworks.com/wp-content/plugins/sitepress-multilingual-cms/templates/language-switchers/legacy-post-translations/style.min.css?ver=1' type='text/css' media='all' />
<link rel='stylesheet' id='wordpress-popular-posts-css-css' href='https://unit42.paloaltonetworks.com/wp-content/plugins/wordpress-popular-posts/assets/css/wpp.css?ver=5.5.1' type='text/css' media='all' />
<link rel='stylesheet' id='unit42/css-css' href='https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v5/dist/styles/main.css?v2' type='text/css' media='all' />
<script type='text/javascript' src='https://unit42.paloaltonetworks.com/wp-includes/js/jquery/jquery.min.js?ver=3.6.1' id='jquery-core-js'></script>
<script type='text/javascript' src='https://unit42.paloaltonetworks.com/wp-includes/js/jquery/jquery-migrate.min.js?ver=3.3.2' id='jquery-migrate-js'></script>
<script type='text/javascript' id='crayon_js-js-extra'>
/* <![CDATA[ */
var CrayonSyntaxSettings = {"version":"_2.7.2_beta","is_admin":"0","ajaxurl":"https:\/\/unit42.paloaltonetworks.com\/wp-admin\/admin-ajax.php","prefix":"crayon-","setting":"crayon-setting","selected":"crayon-setting-selected","changed":"crayon-setting-changed","special":"crayon-setting-special","orig_value":"data-orig-value","debug":""};
var CrayonSyntaxStrings = {"copy":"Press %s to Copy, %s to Paste","minimize":"Click To Expand Code"};
/* ]]> */
</script>
<script type='text/javascript' src='https://unit42.paloaltonetworks.com/wp-content/plugins/crayon-syntax-highlighter/js/min/crayon.min.js?ver=_2.7.2_beta' id='crayon_js-js'></script>
<script type='text/javascript' src='https://unit42.paloaltonetworks.com/wp-content/plugins/wp-user-avatar/assets/flatpickr/flatpickr.min.js?ver=4.4.1' id='ppress-flatpickr-js'></script>
<script type='text/javascript' src='https://unit42.paloaltonetworks.com/wp-content/plugins/wp-user-avatar/assets/select2/select2.min.js?ver=4.4.1' id='ppress-select2-js'></script>
<script type='application/json' id='wpp-json'>
{"sampling_active":0,"sampling_rate":100,"ajax_url":"https:\/\/unit42.paloaltonetworks.com\/wp-json\/wordpress-popular-posts\/v1\/popular-posts","api_url":"https:\/\/unit42.paloaltonetworks.com\/wp-json\/wordpress-popular-posts","ID":127879,"token":"a3ed8369d1","lang":0,"debug":0}
</script>
<script type='text/javascript' src='https://unit42.paloaltonetworks.com/wp-content/plugins/wordpress-popular-posts/assets/js/wpp.min.js?ver=5.5.1' id='wpp-js-js'></script>
<script type='text/javascript' id='wpml-xdomain-data-js-extra'>
/* <![CDATA[ */
var wpml_xdomain_data = {"css_selector":"wpml-ls-item","ajax_url":"https:\/\/unit42.paloaltonetworks.com\/wp-admin\/admin-ajax.php","current_lang":"en"};
/* ]]> */
</script>
<script type='text/javascript' src='https://unit42.paloaltonetworks.com/wp-content/plugins/sitepress-multilingual-cms/res/js/xdomain-data.js?ver=4.5.14' id='wpml-xdomain-data-js'></script>
<link rel="https://api.w.org/" href="https://unit42.paloaltonetworks.com/wp-json/" /><link rel="alternate" type="application/json" href="https://unit42.paloaltonetworks.com/wp-json/wp/v2/posts/127879" /><link rel="EditURI" type="application/rsd+xml" title="RSD" href="https://unit42.paloaltonetworks.com/xmlrpc.php?rsd" />
<link rel="wlwmanifest" type="application/wlwmanifest+xml" href="https://unit42.paloaltonetworks.com/wp-includes/wlwmanifest.xml" />
<meta name="generator" content="WordPress 6.1.1" />
<link rel='shortlink' href='https://unit42.paloaltonetworks.com/?p=127879' />
<link rel="alternate" type="application/json+oembed" href="https://unit42.paloaltonetworks.com/wp-json/oembed/1.0/embed?url=https%3A%2F%2Funit42.paloaltonetworks.com%2Falloy-taurus%2F" />
<link rel="alternate" type="text/xml+oembed" href="https://unit42.paloaltonetworks.com/wp-json/oembed/1.0/embed?url=https%3A%2F%2Funit42.paloaltonetworks.com%2Falloy-taurus%2F&#038;format=xml" />
<meta name="generator" content="WPML ver:4.5.14 stt:1,28;" />
              <script>var $ = jQuery;</script>
  
  
<script type="text/javascript">
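;(function(win, doc, style, timeout) {
  // Pre-hiding snippet: injects a temporary style rule (passed in as `style`)
  // into the document head and removes it again after `timeout` milliseconds.
  // With the arguments below, the body is hidden for at most 3000 ms.
  // NOTE(review): the id 'at-body-style' suggests this is released early by a
  // tag-manager script loaded elsewhere on the page - confirm. If that script
  // is blocked or slow, the timeout below is the only thing that reveals the page.
  var STYLE_ID = 'at-body-style';

  // Returns the first head element, or undefined when the document has none.
  function getParent() {
    return doc.getElementsByTagName('head')[0];
  }

  // Creates a style element with the given id and CSS text under `parent`.
  function addStyle(parent, id, def) {
    if (!parent) {
      return;
    }
    // Named styleEl so it no longer shadows the outer `style` parameter.
    var styleEl = doc.createElement('style');
    styleEl.id = id;
    // textContent instead of innerHTML: the value is CSS text, not markup, and
    // innerHTML is an HTML-injection sink that Trusted Types enforcement
    // rejects for plain strings.
    styleEl.textContent = def;
    parent.appendChild(styleEl);
  }

  // Removes the element with the given id, if it is still in the document.
  function removeStyle(parent, id) {
    if (!parent) {
      return;
    }
    var styleEl = doc.getElementById(id);
    if (!styleEl || !styleEl.parentNode) {
      return;
    }
    // Detach from the element's actual parent, so the timer callback cannot
    // throw if another script moved the element out of the head.
    styleEl.parentNode.removeChild(styleEl);
  }

  addStyle(getParent(), STYLE_ID, style);
  setTimeout(function() {
    removeStyle(getParent(), STYLE_ID);
  }, timeout);
}(window, document, "body {visibility:hidden !important}", 3000));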
</script>

<script src="//assets.adobedtm.com/9273d4aedcd2/0d76ae0322d7/launch-425c423d843b.min.js" async></script>
<script type="text/javascript" src="https://www.paloaltonetworks.com/content/dam/pan/en_US/includes/attribution.js"></script>
  

<script type="text/javascript">
    var isIE11 = !!navigator.userAgent.match(/Trident.*rv\:11\./);
if(isIE11){
    var polyfill = 'https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v5/dist/scripts/polyfill.min.js';
    document.write('<script type="text/javascript" src="'+polyfill+'">\x3C/script>');

}
    /**
 * String.prototype.replaceAll() polyfill
 * https://gomakethings.com/how-to-replace-a-section-of-a-string-with-another-one-with-vanilla-js/
 * @author Chris Ferdinandi
 * @license MIT
 */
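if (!String.prototype.replaceAll) {
	/**
	 * Fallback for String.prototype.replaceAll, installed only when the
	 * runtime does not provide one.
	 *
	 * @param {string|RegExp} str    Pattern to replace. A RegExp is used as given;
	 *                               anything else is matched as literal text.
	 * @param {string|Function} newStr Replacement, passed through to String.prototype.replace.
	 * @returns {string} The string with every match replaced.
	 */
	String.prototype.replaceAll = function(str, newStr){

		// A RegExp pattern is handed to replace() unchanged.
		if (Object.prototype.toString.call(str).toLowerCase() === '[object regexp]') {
			return this.replace(str, newStr);
		}

		// A string pattern has to match literally. Without escaping, characters
		// such as '.', '(' or '?' in the search text (URLs, markup fragments)
		// would be interpreted as regex syntax and match the wrong spans.
		var literal = String(str).replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
		return this.replace(new RegExp(literal, 'g'), newStr);

	};
}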


    /*! lozad.js - v1.16.0 - 2020-09-06 */
!function(t,e){"object"==typeof exports&&"undefined"!=typeof module?module.exports=e():"function"==typeof define&&define.amd?define(e):t.lozad=e()}(this,function(){"use strict";
/**
   * Detect IE browser
   * @const {boolean}
   * @private
   */var g="undefined"!=typeof document&&document.documentMode,f={rootMargin:"0px",threshold:0,load:function(t){if("picture"===t.nodeName.toLowerCase()){var e=t.querySelector("img"),r=!1;null===e&&(e=document.createElement("img"),r=!0),g&&t.getAttribute("data-iesrc")&&(e.src=t.getAttribute("data-iesrc")),t.getAttribute("data-alt")&&(e.alt=t.getAttribute("data-alt")),r&&t.append(e)}if("video"===t.nodeName.toLowerCase()&&!t.getAttribute("data-src")&&t.children){for(var a=t.children,o=void 0,i=0;i<=a.length-1;i++)(o=a[i].getAttribute("data-src"))&&(a[i].src=o);t.load()}t.getAttribute("data-poster")&&(t.poster=t.getAttribute("data-poster")),t.getAttribute("data-src")&&(t.src=t.getAttribute("data-src")),t.getAttribute("data-srcset")&&t.setAttribute("srcset",t.getAttribute("data-srcset"));var n=",";if(t.getAttribute("data-background-delimiter")&&(n=t.getAttribute("data-background-delimiter")),t.getAttribute("data-background-image"))t.style.backgroundImage="url('"+t.getAttribute("data-background-image").split(n).join("'),url('")+"')";else if(t.getAttribute("data-background-image-set")){var d=t.getAttribute("data-background-image-set").split(n),u=d[0].substr(0,d[0].indexOf(" "))||d[0];// Substring before ... 1x
u=-1===u.indexOf("url(")?"url("+u+")":u,1===d.length?t.style.backgroundImage=u:t.setAttribute("style",(t.getAttribute("style")||"")+"background-image: "+u+"; background-image: -webkit-image-set("+d+"); background-image: image-set("+d+")")}t.getAttribute("data-toggle-class")&&t.classList.toggle(t.getAttribute("data-toggle-class"))},loaded:function(){}};function A(t){t.setAttribute("data-loaded",!0)}var m=function(t){return"true"===t.getAttribute("data-loaded")},v=function(t){var e=1<arguments.length&&void 0!==arguments[1]?arguments[1]:document;return t instanceof Element?[t]:t instanceof NodeList?t:e.querySelectorAll(t)};return function(){var r,a,o=0<arguments.length&&void 0!==arguments[0]?arguments[0]:".lozad",t=1<arguments.length&&void 0!==arguments[1]?arguments[1]:{},e=Object.assign({},f,t),i=e.root,n=e.rootMargin,d=e.threshold,u=e.load,g=e.loaded,s=void 0;"undefined"!=typeof window&&window.IntersectionObserver&&(s=new IntersectionObserver((r=u,a=g,function(t,e){t.forEach(function(t){(0<t.intersectionRatio||t.isIntersecting)&&(e.unobserve(t.target),m(t.target)||(r(t.target),A(t.target),a(t.target)))})}),{root:i,rootMargin:n,threshold:d}));for(var c,l=v(o,i),b=0;b<l.length;b++)(c=l[b]).getAttribute("data-placeholder-background")&&(c.style.background=c.getAttribute("data-placeholder-background"));return{observe:function(){for(var t=v(o,i),e=0;e<t.length;e++)m(t[e])||(s?s.observe(t[e]):(u(t[e]),A(t[e]),g(t[e])))},triggerLoad:function(t){m(t)||(u(t),A(t),g(t))},observer:s}}});

</script>
<script type="text/javascript">
var webData =

{ 

   channel : "unit42", //Place the site section the user is in

   property : "unit42.paloaltonetworks.com", //Place domain or sub-domain

   pageType : "blogs",

   language : "en_us",

   pageName : "unit42:Chinese Alloy Taurus Updates PingPull Malware", //Place the page name the user is viewing - every page needs a unique page name

   pageURL : "https://unit42.paloaltonetworks.com/alloy-taurus/" //Place the url the user is viewing with no parameters

}
webData.resourceAssetID = "fd8a25bc5f4150293a6449cf9706d092";
if(sessionStorage.getItem("container") && webData){
	webData.container=sessionStorage.getItem("container");
}

</script>
</head>
  <body class="post-template-default single single-post postid-127879 single-format-standard">
    <style type="text/css">
	.pan-page-alert {
		height: 60px;
	    width: 100%;
	    background-color: #f4f4f2;
	    text-align: center;
	    position: relative;
	    top: 0;
	    left: 0;
	    right: 0;
	    line-height: 20px;
	    display: flex;
	    align-items: center;
	    justify-content: space-between;
	    z-index: 999;
	    padding: 0;
	    display: none;
	}
	.pan-page-alert.open {
		display: flex;
		z-index: 1;
	}
	.pan-page-alert .pan-page-alert-text {
		flex-grow: 1;
	    color: #141414;
	    font-family: Decimal,Arial,"Helvetica Neue",Helvetica,sans-serif;
	    font-style: normal;
	    font-weight: 600;
	    line-height: 20px;
	}
	.pan-page-alert .pan-page-alert-text a {
		color: #bd4122;
		text-decoration: none;
		border-bottom: 2px solid #bd4122;
	}
	.pan-page-alert .pan-page-alert-close {
		margin: 0 15px;
		width: 24px;
		height: 24px;
		border-radius: 24px;
		background-size: contain;
		background-repeat: no-repeat;
		background-position: center;
		/**background-image: url(https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/x-black.svg);
		 * */
		border: 0;
		background-color: transparent;
	}
	
	@media(max-width: 1199.98px){
		.panClean .pan-page-alert .pan-page-alert-text {
			text-align: left;
			padding-left: calc(7.14285714vw + 15px);
		}
		.pan-page-alert .pan-page-alert-text {
	    	font-size: 14px;
	    }
	}
	.productNav2021Component .btn-light i, .productNav2021Component .btn-outline-light i {
	    width: 20px;
	    height: 20px;
	    margin-left: 15px;
	    flex-grow: 0;
	    flex-shrink: 0;
	    display: inline-block;
	    background-size: contain;
	    background-position: center;
	    background-repeat: no-repeat;
	    background-image: url(https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/arrow-right-black.svg);
	}
	.productNav2021Component .btn-light, .productNav2021Component .btn-outline-light {
	    display: inline-flex;
	    align-items: center;
	    text-decoration: none;
	    max-width: 100%;
	    text-align: left;
	    background: 0;
	    color: #141414;
	    position: relative;
	}
	.productNav2021Component .btn-light:hover, .productNav2021Component .btn-outline-light:hover {
	    color: #7a7a7a;
	}
	.productNav2021Component .btn{
	   white-space: normal; 
	}
	.productNav2021Component .btn-light:hover i, .productNav2021Component .btn-outline-light:hover i{
	    opacity: .6;
	}
	@media(min-width: 1200px){
		.pan-page-alert .pan-page-alert-text {
	    	font-size: 16px;
	    }
	}
</style>


<div class="panClean pan-template-home" id="main-nav-menu-cont" style="display:none;">
    <div class="cleanHeader mainNavigationComp baseComponent parbase">
        <div class="productNav2021Component dark default" id="PAN_2021_NAV_ASYNC"></div>

  </div>
<div class="cleanTopHtml htmlComp baseComponent parbase"><div class="base-component-spacer spacer-none  "></div>
</div>


</div>
<script type="text/javascript">
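	/**
	 * Return the value of the cookie named `cname` from document.cookie.
	 *
	 * @param {string} cname Cookie name to look up.
	 * @returns {string} The decoded value, the raw value when it is not valid
	 *                   percent-encoding, or "" when no such cookie exists.
	 */
	function getCookie(cname) {
		var prefix = cname + "=";
		// Split the raw cookie string BEFORE decoding. Decoding first turns an
		// encoded ';' (%3B) inside one value into a separator, so part of that
		// value would be read back as a separate cookie.
		var parts = document.cookie.split(';');
		for (var i = 0; i < parts.length; i++) {
			// Entries after the first are preceded by a space.
			var entry = parts[i].replace(/^ +/, '');
			if (entry.indexOf(prefix) === 0) {
				var raw = entry.substring(prefix.length);
				try {
					return decodeURIComponent(raw);
				} catch (e) {
					// Malformed percent sequence: return the value as stored
					// instead of letting a URIError abort the calling script.
					return raw;
				}
			}
		}
		return "";
	}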

	// Work out which product navigation ("container") this page should render.
	// `referer` ends up as one of Prisma / Cortex / Sase / Unit / Ngfw and is
	// read by the functions defined further down in this script.
	var referer = "";
	var pcontainer = sessionStorage.getItem("container");
	var searchResultsPagePath = "";
	var fromRef = document.referrer;
	var nContainer = getCookie("navContainer");

	(function(){
		var known = ['Prisma','Cortex','Sase','Unit','Ngfw'];
		var i;

		// 1. Container remembered for this tab: the first known name found wins.
		if(pcontainer){
			for(i = 0; i < known.length; i++){
				if(pcontainer.indexOf(known[i]) != -1){
					referer = known[i];
					break;
				}
			}
		}

		// 2. A navContainer cookie overrides it, but only when the referrer
		//    looks like one of the company sites.
		// NOTE(review): this is a substring test on the whole referrer URL, so
		// a referrer that merely contains "paloaltonetworks.com" in its path or
		// query also passes. Only one of the five known names can be selected,
		// but a hostname comparison would be stricter; confirm which referrer
		// hosts must be accepted before tightening.
		if(nContainer){
			if(fromRef && fromRef.indexOf("prismacloud.io") != -1){
				referer = 'Prisma';
				sessionStorage.setItem("container","Prisma");
			} else if(fromRef.indexOf("paloaltonetworks.com") != -1 || fromRef.indexOf("paloaltonetworks.jp") != -1){
				// No break: when several names occur in the cookie, the last one wins.
				for(i = 0; i < known.length; i++){
					if(nContainer.indexOf(known[i]) != -1){
						referer = known[i];
						sessionStorage.setItem("container",known[i]);
					}
				}
				// The cookie is consumed once: expire it for the whole domain.
				document.cookie = 'navContainer=; path=/; domain=.paloaltonetworks.com; expires=' + new Date(0).toUTCString();
			}
		}

		console.log("referer"+referer);

		// 3. Anything else falls back to the Unit navigation.
		if(known.indexOf(referer) == -1){
			referer = 'Unit';
			sessionStorage.setItem("container","Unit");
		}
	}());
/**
 * Pick the navigation renderer URL and the search-results path for the
 * current `referer` value, fetch the navigation markup through httpGet, and
 * un-hide the navigation wrapper.
 *
 * Writes the global `searchResultsPagePath` and the sessionStorage key "domain".
 */
function callMainSitePrismaNavHTML(){
    var referrer_domain = 'https://www.paloaltonetworks.com';
    sessionStorage.setItem("domain",referrer_domain);

    // container name -> [navigation renderer URL, search results path]
    var targets = {
        Prisma: [
            referrer_domain+'/_jcr_content/globals/cleanHeaderPrisma.prismaRenderer.html',
            referrer_domain+"/search/prismasearch"
        ],
        Cortex: [
            referrer_domain+'/_jcr_content/globals/cleanHeaderCortex.cortexRenderer.html',
            referrer_domain+"/search/cortexsearch"
        ],
        Sase: [
            referrer_domain+'/_jcr_content/globals/cleanHeaderSase.saseRenderer.html',
            referrer_domain+"/search/sasesearch"
        ],
        Unit: [
            'https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v5/unit-nav-renderer.php',
            referrer_domain+"/content/pan/en_US/search/unit42search"
        ],
        Ngfw: [
            'https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v5/ngfw-cdss-nav-renderer.php',
            referrer_domain+"/search/ngfwcdsssearch"
        ]
    };

    // An unrecognised container leaves menu_url undefined and the search path untouched.
    var menu_url;
    if(Object.prototype.hasOwnProperty.call(targets, referer)){
        menu_url = targets[referer][0];
        searchResultsPagePath = targets[referer][1];
    }

    httpGet(menu_url,'menu_html');
    document.getElementById('main-nav-menu-cont').removeAttribute("style");
}
/**
 * Append a new <style> element containing `styles` to the document head.
 *
 * @param {string} styles CSS text to install.
 */
function addStyle(styles) {
    var sheetEl = document.createElement('style');
    sheetEl.type = 'text/css';

    // Older Internet Explorer exposes styleSheet.cssText on the element;
    // elsewhere the CSS goes in as a text node.
    if (!sheetEl.styleSheet) {
        sheetEl.appendChild(document.createTextNode(styles));
    } else {
        sheetEl.styleSheet.cssText = styles;
    }

    var head = document.getElementsByTagName("head")[0];
    head.appendChild(sheetEl);
}
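    /**
     * Fetch `theUrl` with a synchronous GET and apply a 200 response to the page.
     *
     * @param {string} theUrl   URL to request.
     * @param {string} req_type 'menu_html': rewrite root-relative URLs in the
     *                          response to the main site and insert it into
     *                          #PAN_2021_NAV_ASYNC; 'head_inline_css': install
     *                          the response as a stylesheet via addStyle();
     *                          any other value: the response is ignored.
     */
    function httpGet(theUrl,req_type)
    {
        // Declared locally. The original assigned an undeclared `xmlhttp`,
        // which created one implicit global shared by every call.
        var xmlhttp;
        if (window.XMLHttpRequest)
        {// IE7+, Firefox, Chrome, Opera, Safari
            xmlhttp = new XMLHttpRequest();
        }
        else
        {// IE6, IE5
            xmlhttp = new ActiveXObject("Microsoft.XMLHTTP");
        }
        xmlhttp.onreadystatechange = function()
        {
            if (xmlhttp.readyState == 4 && xmlhttp.status == 200)
            {
                if (req_type == 'menu_html') {
                    // Strip the reference to the Coveo search bundle from the fetched markup.
                    var nav_text = xmlhttp.responseText.replaceAll('https://static.cloud.coveo.com/searchui/v2.9159/js/CoveoJsSearch.Lazy.min.js', '');

                    // Point root-relative src/href/content URLs at the main site.
                    nav_text = nav_text.replaceAll('src="/', 'src="'+maindomain_lang+'/');
                    nav_text = nav_text.replaceAll("'/content", "'"+maindomain_lang+"/content");

                    // NOTE(review): the response is inserted as markup, so whatever
                    // the endpoint returns becomes part of this page. The callers
                    // visible in this file pass fixed first-party URLs; keep
                    // `theUrl` limited to such endpoints.
                    document.getElementById("PAN_2021_NAV_ASYNC").innerHTML = nav_text.replaceAll('href="/', 'href="'+maindomain_lang+'/');

                    var lozad_back = document.getElementsByClassName('lozad-background');
                    Array.prototype.forEach.call(lozad_back, function(el) {
                        var el_back_img_path = el.getAttribute('data-background-image');
                        // An element without the attribute would otherwise throw on
                        // indexOf and stop the remaining elements from being rewritten.
                        if (el_back_img_path == null) {
                            return;
                        }
                        // Keep the text between the first pair of single quotes
                        // and prefix it with the main site origin.
                        var first_pos = el_back_img_path.indexOf("'");
                        var last_pos = el_back_img_path.indexOf("'",first_pos+1);
                        el_back_img_path = el_back_img_path.substring(first_pos+1,last_pos);
                        el.setAttribute("data-background-image",main_site_url+el_back_img_path);
                    });
                }
                if (req_type == 'head_inline_css') {
                    addStyle(xmlhttp.responseText);
                }
            }
        };
        // Third argument false = synchronous request: send() returns only after
        // the response has arrived and the handler above has run.
        xmlhttp.open("GET", theUrl, false );
        xmlhttp.send();
    }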
    
    // Tag the async navigation placeholder with the selected container, switch
    // it to the redesigned styling where that applies, then load the markup.
    if(['Prisma','Cortex','Sase','Unit','Ngfw'].indexOf(referer) !== -1){
        const navHost = document.querySelector('#PAN_2021_NAV_ASYNC');

        // data-type is the container name in lower case (prisma, cortex, sase, unit, ngfw).
        navHost.dataset.type = referer.toLowerCase();

        // Every container except Cortex and Sase gets the redesigned class.
        if(referer != 'Cortex' && referer != 'Sase'){
            $('#PAN_2021_NAV_ASYNC').removeClass('default').addClass('defaultRedesigned');
        }

        callMainSitePrismaNavHTML();
    }
</script>


  <article class="article overflow-hidden">
    
<header class="article__header py-sm-25 pt-40 pb-25 bg-gray-700">
  <div class="container">
    
    <h1 class="article__header__title mb-sm-30 mb-40">Chinese Alloy Taurus Updates PingPull Malware</h1>

    <ul class="article__entry-meta d-flex flex-wrap align-items-center text-black">
      <li class="mb-10 px-20 rounded-pill bg-gray-200"><span class="span-reading-time rt-reading-time"><span class="rt-label rt-prefix"></span> <span class="rt-time"> 6</span> <span class="rt-label rt-postfix"></span></span> min. read</li>
    </ul>

  </div>
</header>    <div class="article__summary py-25 text-gray-500 font-size-sm">
  <div class="container">
    <div class="row align-items-center no-gutters">
      <div class="col-sm-auto col-12 mb-sm-0 mb-35">
        <i class="ui ui-11 text-gray-700 mr-sm-20"></i>
      </div>
  
      <div class="col-sm col-12">
        <p>
          By <a href="https://unit42.paloaltonetworks.com/author/unit42/" title="Posts by Unit 42" class="author url fn" rel="author">Unit 42</a>        </p>
        <p><time datetime="2023-04-26T10:00:34+00:00">April 26, 2023 at 3:00 AM</time></p>
        <p>Category: <a href="https://unit42.paloaltonetworks.com/category/malware-2/" rel="category tag">Malware</a></p>
        <p>Tags: <a href="https://unit42.paloaltonetworks.com/tag/advanced-url-filtering/" rel="tag">Advanced URL Filtering</a>, <a href="https://unit42.paloaltonetworks.com/tag/alloy-taurus/" rel="tag">Alloy Taurus</a>, <a href="https://unit42.paloaltonetworks.com/tag/apt/" rel="tag">APT</a>, <a href="https://unit42.paloaltonetworks.com/tag/china-chopper/" rel="tag">China Chopper</a>, <a href="https://unit42.paloaltonetworks.com/tag/cortex-xdr/" rel="tag">Cortex XDR</a>, <a href="https://unit42.paloaltonetworks.com/tag/cortex-xsiam/" rel="tag">Cortex XSIAM</a>, <a href="https://unit42.paloaltonetworks.com/tag/cortex-xsoar/" rel="tag">Cortex XSOAR</a>, <a href="https://unit42.paloaltonetworks.com/tag/dns-security/" rel="tag">DNS security</a>, <a href="https://unit42.paloaltonetworks.com/tag/gallium/" rel="tag">GALLIUM</a>, <a href="https://unit42.paloaltonetworks.com/tag/next-generation-firewall/" rel="tag">next-generation firewall</a>, <a href="https://unit42.paloaltonetworks.com/tag/pingpull/" rel="tag">PingPull</a>, <a href="https://unit42.paloaltonetworks.com/tag/wildfire/" rel="tag">WildFire</a></p>
      </div>
    </div>
  </div>
</div>    <div class="py-30 bg-white">
      <div class="container">
        <div class="article__content pb-30">
                      <figure class="mb-30 text-center">
              <img width="900" height="551" src="https://unit42.paloaltonetworks.com/wp-content/uploads/2023/04/PA-Unit42-TAC-AlloyTAURUS_-Landscape.jpg" class="attachment-single size-single" alt="A pictorial representation of Alloy Taurus with a bull&#039;s head against the Taurus constellation in a night sky." decoding="async" loading="lazy" />            </figure>
                    <p class="wpml-ls-statics-post_translations wpml-ls">This post is also available in: 
    <span class="wpml-ls-slot-post_translations wpml-ls-item wpml-ls-item-ja wpml-ls-first-item wpml-ls-last-item wpml-ls-item-legacy-post-translations"><a href="https://unit42.paloaltonetworks.jp/alloy-taurus/" class="wpml-ls-link"><span class="wpml-ls-native" lang="ja">日本語</span><span class="wpml-ls-display"><span class="wpml-ls-bracket"> (</span>Japanese<span class="wpml-ls-bracket">)</span></span></a></span></p><h2><a id="post-127879-_x8hwexnv5e63"></a>Executive Summary</h2>
<p>Unit 42 researchers recently identified a new variant of PingPull malware, designed to target Linux systems, that is used by Alloy Taurus actors. While following the infrastructure leveraged by the actor for this PingPull variant, we also identified their use of another backdoor we track as Sword2033.</p>
<p>The first samples of PingPull malware date back to September 2021. Monitoring its use across several campaigns, in June 2022 Unit 42 <a href="https://unit42.paloaltonetworks.com/pingpull-gallium/" target="_blank" rel="noopener">published research outlining the functionality of PingPull</a> and attributed the use of the tool to Alloy Taurus.</p>
<p>Operating since at least 2012, Alloy Taurus (aka GALLIUM, Softcell) is assessed to be a Chinese advanced persistent threat (APT) group that routinely conducts cyberespionage campaigns. This group has historically targeted telecommunications companies operating across Asia, Europe and Africa. In recent years we have also observed the group expand their targeting to include financial institutions and government entities.</p>
<p>We provide a detailed breakdown of the following:</p>
<ul>
<li>A new variant of PingPull</li>
<li>Sword2033 samples linked to the same command and control (C2) infrastructure</li>
<li>Recent activity by Alloy Taurus in South Africa and Nepal</li>
</ul>
<p>Palo Alto Networks customers receive protections from the threats described in this blog through <a href="https://docs-cortex.paloaltonetworks.com/p/XDR" target="_blank" rel="noopener">Cortex XDR</a> and <a href="https://docs.paloaltonetworks.com/wildfire" target="_blank" rel="noopener">WildFire</a> malware analysis. The <a href="https://docs.paloaltonetworks.com/advanced-url-filtering/administration" target="_blank" rel="noopener">Advanced URL Filtering</a> and <a href="https://docs.paloaltonetworks.com/dns-security" target="_blank" rel="noopener">DNS Security</a> <a href="https://docs.paloaltonetworks.com/cdss" target="_blank" rel="noopener">Cloud-Delivered Security Services</a> can help protect against C2 infrastructure.</p>
<table style="width: 100%;">
<thead>
<tr>
<td style="width: 35%;"><b>Related Unit 42 Topics</b></td>
<td style="width: 100%;"><a href="https://unit42.paloaltonetworks.com/tag/alloy-taurus/" target="_blank" rel="noopener"><b>Alloy Taurus</b></a>, <strong><a href="https://unit42.paloaltonetworks.com/tag/pingpull/" target="_blank" rel="noopener">PingPull</a>, <a href="https://unit42.paloaltonetworks.com/tag/apt">Advanced Persistent Threat</a></strong></td>
</tr>
</thead>
</table>
<h2><a id="post-127879-_d07s5qswsv7d"></a>Table of Contents</h2>
<p><a href="#post-127879-_wven14kmgum2">PingPull Linux Variant</a><br />
<a href="#post-127879-_6a2n9d2thlsu">Sword2033 Backdoor</a><br />
<a href="#post-127879-_64cvk1lfylwy">Infrastructure Analysis</a><br />
<a href="#post-127879-_2an8ryq91inv">Conclusion</a><br />
<a href="#post-127879-_c0e33m7stckx">Protections and Mitigations</a><br />
<a href="#post-127879-_t1bewtxkw37">Indicators of Compromise</a><br />
<a href="#post-127879-_570cbe1pdhwx">Additional Resources</a></p>
<h2><a id="post-127879-_wven14kmgum2"></a>PingPull Linux Variant</h2>
<p>On March 7, 2023, the following sample was uploaded to VirusTotal.</p>
<table>
<tbody>
<tr>
<td><b>Filename</b></td>
<td><span style="font-weight: 400; font-family: 'courier new', courier, monospace;">nztloader</span></td>
</tr>
<tr>
<td><b>Filetype</b></td>
<td><span style="font-weight: 400;">ELF</span></td>
</tr>
<tr>
<td><b>SHA256</b></td>
<td><span style="font-weight: 400; font-family: 'courier new', courier, monospace;">cb0922d8b130504bf9a3078743294791201789c5a3d7bc0369afd096ea15f0ae</span></td>
</tr>
</tbody>
</table>
<p style="text-align: center;"><span style="font-size: 8pt; color: #999999;"><em>Table 1. PingPull sample file details.</em></span></p>
<p>At the time of writing, three out of 62 vendors found the sample to be malicious. Despite a largely benign verdict, additional analysis has determined that this sample is a Linux variant of PingPull malware. This determination was made based on matching HTTP communication structure, POST parameters, AES key, and C2 commands, which are outlined below.</p>
<p>Upon execution, this sample is configured to communicate with the domain <span style="font-family: 'courier new', courier, monospace;">yrhsywu2009.zapto[.]org</span> over port 8443 for C2. It uses a statically linked OpenSSL (OpenSSL 0.9.8e) library to interact with the domain over HTTPS via the following HTTP POST request:</p>
<figure id="attachment_127900" aria-describedby="caption-attachment-127900" style="width: 600px" class="wp-caption aligncenter"><img decoding="async" class="wp-image-127900" src="https://unit42.paloaltonetworks.com/wp-content/uploads/2023/04/word-image-127879-1-1.png" alt="Image 1 is the HTTP post request for the PingPull Linux variant. It includes the content type, user agent, host, content, length, and cache control." width="600" height="179" /><figcaption id="caption-attachment-127900" class="wp-caption-text">Figure 1. PingPull Linux variant POST request.</figcaption></figure>
<p>The payload then expects the C2 server to respond with data that is Base64 encoded ciphertext, encrypted with AES using <span style="font-family: 'courier new', courier, monospace;">P29456789A1234sS</span> as the key. This is the same key that we previously observed in the original Windows PE variant of PingPull.</p>
<p>Once decoded and decrypted, the cleartext resembles HTTP parameters. The payload parses the cleartext, using <span style="font-family: 'courier new', courier, monospace;">&amp;</span> and <span style="font-family: 'courier new', courier, monospace;">=</span> as delimiters, for the following parameters:</p>
<figure id="attachment_127902" aria-describedby="caption-attachment-127902" style="width: 600px" class="wp-caption aligncenter"><img decoding="async" loading="lazy" class="wp-image-127902" src="https://unit42.paloaltonetworks.com/wp-content/uploads/2023/04/word-image-127879-2-1.png" alt="Image 2 a screenshot of the PingPull HTTP parameters." width="600" height="109" /><figcaption id="caption-attachment-127902" class="wp-caption-text">Figure 2. PingPull HTTP parameters.</figcaption></figure>
<p>The value in the <span style="font-family: 'courier new', courier, monospace;">P29456789A1234sS</span> parameter (the parameter name is the same string as the AES key) will contain a single uppercase character, either A through K or M, which the payload will use as the command value. The values in the <span style="font-family: 'courier new', courier, monospace;">z0</span>, <span style="font-family: 'courier new', courier, monospace;">z1</span> and <span style="font-family: 'courier new', courier, monospace;">z2</span> parameters are used as the arguments passed to the command.</p>
<p>After running the command, the payload will send the results back to the C2 server via an HTTPS request that resembles the beacon request, but contains Base64 encoded ciphertext. The command handler supports the following functionality that aligns with both China Chopper capabilities and those observed in the PingPull Windows PE variant:</p>
<table style="width: 88.1336%;">
<thead>
<tr>
<td style="width: 15.6667%;"><b>Cmd</b></td>
<td style="width: 92.9834%;"><b>Description</b></td>
</tr>
<tr>
<td style="width: 15.6667%;"><span style="font-weight: 400; font-family: 'courier new', courier, monospace;">A</span></td>
<td style="width: 92.9834%;"><span style="font-weight: 400;">Get the current directory</span></td>
</tr>
<tr>
<td style="width: 15.6667%;"><span style="font-weight: 400; font-family: 'courier new', courier, monospace;">B</span></td>
<td style="width: 92.9834%;"><span style="font-weight: 400;">List folder</span></td>
</tr>
<tr>
<td style="width: 15.6667%;"><span style="font-weight: 400; font-family: 'courier new', courier, monospace;">C</span></td>
<td style="width: 92.9834%;"><span style="font-weight: 400;">Read text file</span></td>
</tr>
<tr>
<td style="width: 15.6667%;"><span style="font-weight: 400; font-family: 'courier new', courier, monospace;">D</span></td>
<td style="width: 92.9834%;"><span style="font-weight: 400;">Write text file</span></td>
</tr>
<tr>
<td style="width: 15.6667%;"><span style="font-weight: 400; font-family: 'courier new', courier, monospace;">E</span></td>
<td style="width: 92.9834%;"><span style="font-weight: 400;">Delete file or folder</span></td>
</tr>
<tr>
<td style="width: 15.6667%;"><span style="font-weight: 400; font-family: 'courier new', courier, monospace;">F</span></td>
<td style="width: 92.9834%;"><span style="font-weight: 400;">Read binary file, convert to hex</span></td>
</tr>
<tr>
<td style="width: 15.6667%;"><span style="font-weight: 400; font-family: 'courier new', courier, monospace;">G</span></td>
<td style="width: 92.9834%;"><span style="font-weight: 400;">Write binary file, convert to hex</span></td>
</tr>
<tr>
<td style="width: 15.6667%;"><span style="font-weight: 400; font-family: 'courier new', courier, monospace;">H</span></td>
<td style="width: 92.9834%;"><span style="font-weight: 400;">Copy file or folder</span></td>
</tr>
<tr>
<td style="width: 15.6667%;"><span style="font-weight: 400; font-family: 'courier new', courier, monospace;">I</span></td>
<td style="width: 92.9834%;"><span style="font-weight: 400;">Rename file</span></td>
</tr>
<tr>
<td style="width: 15.6667%;"><span style="font-weight: 400; font-family: 'courier new', courier, monospace;">J</span></td>
<td style="width: 92.9834%;"><span style="font-weight: 400;">Create Directory</span></td>
</tr>
<tr>
<td style="width: 15.6667%;"><span style="font-weight: 400; font-family: 'courier new', courier, monospace;">K</span></td>
<td style="width: 92.9834%;"><span style="font-weight: 400;">Timestomp file with specified timestamp in "<span style="font-family: 'courier new', courier, monospace;">%04d-%d-%d %d:%d:%d</span>" format</span></td>
</tr>
<tr>
<td style="width: 15.6667%;"><span style="font-weight: 400; font-family: 'courier new', courier, monospace;">M</span></td>
<td style="width: 92.9834%;"><span style="font-weight: 400;">Run command</span></td>
</tr>
</thead>
</table>
<p style="text-align: center;"><span style="color: #999999; font-size: 8pt;"><em>Table 2. PingPull command handler functionality.</em></span></p>
<p>Of note, the HTTP parameters <span style="font-family: 'courier new', courier, monospace;">z0</span>, <span style="font-family: 'courier new', courier, monospace;">z1</span> and <span style="font-family: 'courier new', courier, monospace;">z2</span> and command handlers <span style="font-family: 'courier new', courier, monospace;">A-K</span>, <span style="font-family: 'courier new', courier, monospace;">M</span> also align to commands <span style="font-family: 'courier new', courier, monospace;">A-K</span>, <span style="font-family: 'courier new', courier, monospace;">M</span> observed in the web shell China Chopper. This suggests that Alloy Taurus is using code they might be familiar with, and they are integrating it into the development of custom tooling.</p>
<h2><a id="post-127879-_6a2n9d2thlsu"></a>Sword2033 Backdoor</h2>
<p>Pivoting on the C2 domain, we identified one additional sample that also communicated with <span style="font-family: 'courier new', courier, monospace;">yrhsywu2009.zapto[.]org</span>:</p>
<table>
<tbody>
<tr>
<td colspan="2"><b>Sword2033 Sample 1</b></td>
</tr>
<tr>
<td><b>Filename</b></td>
<td><span style="font-weight: 400; font-family: 'courier new', courier, monospace;">zimbra</span></td>
</tr>
<tr>
<td><b>Filetype</b></td>
<td><span style="font-weight: 400;">ELF</span></td>
</tr>
<tr>
<td><b>SHA256</b></td>
<td><span style="font-weight: 400; font-family: 'courier new', courier, monospace;">5ba043c074818fdd06ae1d3939ddfe7d3d35bab5d53445bc1f2f689859a87507</span></td>
</tr>
</tbody>
</table>
<p style="text-align: center;"><span style="color: #999999; font-size: 8pt;"><em>Table 3. Related Sword2033 sample file details.</em></span></p>
<p>Similar to the PingPull variant above, this sample was designed to connect to port 8443 over HTTPS. However, analysis of the sample revealed that it’s a simple backdoor that we track as Sword2033. This backdoor supports three basic functions:</p>
<table style="width: 93.2941%;">
<tbody>
<tr>
<td style="width: 13.1852%;"><b>Cmd</b></td>
<td style="width: 89.4872%;"><b>Description</b></td>
</tr>
<tr>
<td style="width: 13.1852%;"><span style="font-weight: 400; font-family: 'courier new', courier, monospace;">#up</span></td>
<td style="width: 89.4872%;"><span style="font-weight: 400;">Uploads a file to the system</span></td>
</tr>
<tr>
<td style="width: 13.1852%;"><span style="font-weight: 400; font-family: 'courier new', courier, monospace;">#dn</span></td>
<td style="width: 89.4872%;"><span style="font-weight: 400;">Downloads a file from the system</span></td>
</tr>
<tr>
<td style="width: 13.1852%;"><span style="font-weight: 400; font-family: 'courier new', courier, monospace;">exc /c:</span></td>
<td style="width: 89.4872%;"><span style="font-weight: 400;">Executes a command, but appends </span><span style="font-weight: 400; font-family: 'courier new', courier, monospace;">;echo &lt;random number&gt;\n</span><span style="font-weight: 400;"> before running it</span></td>
</tr>
</tbody>
</table>
<p style="text-align: center;"><span style="color: #999999; font-size: 8pt;"><em>Table 4. Sword2033 command handler functionality.</em></span></p>
<p>These three commands map to commands in a second command handler that uses <span style="font-family: 'courier new', courier, monospace;">A</span>, <span style="font-family: 'courier new', courier, monospace;">C</span>, <span style="font-family: 'courier new', courier, monospace;">D</span> and <span style="font-family: 'courier new', courier, monospace;">M</span> commands, which are identical in value and functionality to the PingPull commands identified in Table 2 above.</p>
<p>Searching for other recent samples of Sword2033, we identified a second sample:</p>
<table>
<tbody>
<tr>
<td colspan="2"><b>Sword2033 Sample 2</b></td>
</tr>
<tr>
<td><b>Filename</b></td>
<td><span style="font-weight: 400; font-family: 'courier new', courier, monospace;">Hopke</span></td>
</tr>
<tr>
<td><b>Filetype</b></td>
<td><span style="font-weight: 400;">ELF</span></td>
</tr>
<tr>
<td><b>SHA256</b></td>
<td><span style="font-weight: 400; font-family: 'courier new', courier, monospace;">e39b5c32ab255ad284ae6d4dae8b4888300d4b5df23157404d9c8be3f95b3253</span></td>
</tr>
</tbody>
</table>
<p style="text-align: center;"><span style="font-size: 8pt; color: #999999;"><em>Table 5. Additional Sword2033 sample file details.</em></span></p>
<p>This sample was seen in July 2022. Analysis of this sample revealed that it’s configured to connect to <span style="font-family: 'courier new', courier, monospace;">196.216.136[.]139</span>, located in South Africa, for C2.</p>
<h2><a id="post-127879-_64cvk1lfylwy"></a>Infrastructure Analysis</h2>
<p>Analysis of the C2 domain <span style="font-family: 'courier new', courier, monospace;">yrhsywu2009.zapto[.]org</span> found in the PingPull Linux variant and the first Sword2033 sample shows it was most recently hosted on <span style="font-family: 'courier new', courier, monospace;">5.181.25[.]99</span> until early February 2023. However, a historical review of its hosting revealed that this domain resolved to <span style="font-family: 'courier new', courier, monospace;">45.251.241[.]82</span> for a single day in April 2022. This IP was outlined as an active indicator of compromise (IoC) in <a href="https://unit42.paloaltonetworks.com/pingpull-gallium/" target="_blank" rel="noopener">our June 2022 report</a>, thereby drawing a clear link to Alloy Taurus activities.</p>
<p>Analysis of the C2 for the second Sword2033 sample (<span style="font-family: 'courier new', courier, monospace;">Hopke</span>, referenced in Table 5) found that the domain <span style="font-family: 'courier new', courier, monospace;">*.saspecialforces.co[.]za</span> resolved to <span style="font-family: 'courier new', courier, monospace;">196.216.136[.]139</span>. This domain has been hosted on eight other IPs throughout its history with various mail-related subdomains.</p>
<p><span style="font-weight: 400;">None of these IPs appear to have any affiliation with the South African government, but the domain name gives the impression of a connection to the South African military. The establishment of a C2 server that appears to impersonate the South African military is uniquely notable when analyzed in the context of recent events.</span> In February 2023, South Africa joined Russia and China to participate in <a href="https://www.bbc.com/news/world-64380572" target="_blank" rel="noopener">combined naval exercises</a>.</p>
<p>Additionally, <span style="font-family: 'courier new', courier, monospace;">196.216.136[.]139</span> resolved to <span style="font-family: 'courier new', courier, monospace;">vpn729380678.softether[.]net</span> from late December 2022 through mid-February 2023. Alloy Taurus is known for leveraging the SoftEther VPN service in their operations to facilitate access to, and maintain persistence in, their targeted networks.</p>
<p>Threat actors often abuse, take advantage of or subvert legitimate products like SoftEther VPN for malicious purposes. This does not necessarily imply a flaw or malicious quality to the legitimate product being abused.</p>
<figure id="attachment_127904" aria-describedby="caption-attachment-127904" style="width: 900px" class="wp-caption aligncenter"><img decoding="async" loading="lazy" class="wp-image-127904" src="https://unit42.paloaltonetworks.com/wp-content/uploads/2023/04/word-image-127879-3-1.png" alt="Image 3 is a diagram of the infrastructure of PingPull/Sword2033 including samples 1 and 2 of Sword2033. " width="900" height="667" /><figcaption id="caption-attachment-127904" class="wp-caption-text">Figure 3. PingPull/Sword2033 infrastructure visualization.</figcaption></figure>
<p>Reviewing traffic to the Sword2033 C2 server <span style="font-family: 'courier new', courier, monospace;">196.216.136[.]139</span>, we identified sustained connections originating from an IP that hosts several subdomains for an organization that finances long-term urban infrastructure development projects in Nepal.</p>
<h2><a id="post-127879-_2an8ryq91inv"></a>Conclusion</h2>
<p>Alloy Taurus remains an active threat to telecommunications, finance and government organizations across Southeast Asia, Europe and Africa. The identification of a Linux variant of PingPull malware, as well as recent use of the Sword2033 backdoor, suggests that the group continues to evolve their operations in support of their espionage activities. We encourage all organizations to leverage our findings to inform the deployment of protective measures to defend against this threat group.</p>
<p>Palo Alto Networks has shared these findings, including file samples and indicators of compromise, with our fellow Cyber Threat Alliance (CTA) members. CTA members use this intelligence to rapidly deploy protections to their customers and to systematically disrupt malicious cyber actors. Learn more about the <a href="https://www.cyberthreatalliance.org" target="_blank" rel="noopener">Cyber Threat Alliance</a>.</p>
<h2><a id="post-127879-_gnhglhq15l65"></a>Protections and Mitigations</h2>
<p>In order to defend against the threats described in this blog, Palo Alto Networks recommends organizations employ the following capabilities:</p>
<ul>
<li>Network Security: Delivered through a Next-Generation Firewall (NGFW) configured with machine learning enabled, and best-in-class, cloud-delivered security services. This includes, for example, threat prevention, URL filtering, DNS security and a malware prevention engine capable of identifying and blocking malicious samples and infrastructure.</li>
<li>Endpoint Security: Delivered through an XDR solution that is capable of identifying malicious code through the use of advanced machine learning and behavioral analytics. This solution should be configured to act on and block threats in real time as they are identified.</li>
<li>Security Automation: Delivered through an XSOAR or XSIAM solution capable of providing SOC analysts with a comprehensive understanding of the threat derived by stitching together data obtained from endpoints, network, cloud and identity systems.</li>
</ul>
<h3><a id="post-127879-_c0e33m7stckx"></a>Specific Product Protections and Mitigations</h3>
<p>For Palo Alto Networks customers, our products and services provide the following coverage associated with this group:</p>
<ul>
<li><a href="https://docs.paloaltonetworks.com/wildfire" target="_blank" rel="noopener">WildFire</a> cloud-based threat analysis service accurately identifies the malware described in this blog as malicious.</li>
<li><a href="https://docs.paloaltonetworks.com/advanced-url-filtering/administration" target="_blank" rel="noopener">Advanced URL Filtering </a>and <a href="https://docs.paloaltonetworks.com/dns-security" target="_blank" rel="noopener">DNS Security</a> identify domains associated with Alloy Taurus as malicious.</li>
<li><a href="https://docs-cortex.paloaltonetworks.com/p/XDR" target="_blank" rel="noopener">Cortex XDR</a> identifies known malware samples as malicious and prevents their execution.</li>
</ul>
<p>If you think you may have been compromised or have an urgent matter, get in touch with the <a href="https://start.paloaltonetworks.com/contact-unit42.html" target="_blank" rel="noopener">Unit 42 Incident Response team</a> or call:</p>
<ul>
<li>North America Toll-Free: 866.486.4842 (866.4.UNIT42)</li>
<li>EMEA: +31.20.299.3130</li>
<li>APAC: +65.6983.8730</li>
<li>Japan: +81.50.1790.0200</li>
</ul>
<h2><a id="post-127879-_t1bewtxkw37"></a>Indicators of Compromise</h2>
<p>PingPull Linux Variant (SHA256)</p>
<ul>
<li><span style="font-family: 'courier new', courier, monospace;">cb0922d8b130504bf9a3078743294791201789c5a3d7bc0369afd096ea15f0ae</span></li>
</ul>
<p>Sword2033 (SHA256)</p>
<ul>
<li><span style="font-family: 'courier new', courier, monospace;">5ba043c074818fdd06ae1d3939ddfe7d3d35bab5d53445bc1f2f689859a87507</span></li>
<li><span style="font-family: 'courier new', courier, monospace;">e39b5c32ab255ad284ae6d4dae8b4888300d4b5df23157404d9c8be3f95b3253</span></li>
</ul>
<p>Alloy Taurus Infrastructure</p>
<ul>
<li><span style="font-family: 'courier new', courier, monospace;">yrhsywu2009.zapto[.]org</span></li>
<li><span style="font-family: 'courier new', courier, monospace;">*.saspecialforces.co[.]za</span></li>
<li><span style="font-family: 'courier new', courier, monospace;">vpn729380678.softether[.]net</span></li>
<li><span style="font-family: 'courier new', courier, monospace;">5.181.25[.]99</span></li>
<li><span style="font-family: 'courier new', courier, monospace;">196.216.136[.]139</span></li>
</ul>
<h2><a id="post-127879-_570cbe1pdhwx"></a>Additional Resources</h2>
<ul>
<li><a href="https://unit42.paloaltonetworks.com/pingpull-gallium/" target="_blank" rel="noopener">GALLIUM Expands Targeting Across Telecommunications, Government and Finance Sectors With New PingPull Tool</a>, Unit 42, Palo Alto Networks</li>
<li><a href="https://attack.mitre.org/groups/G0093/" target="_blank" rel="noopener">GALLIUM</a>, MITRE</li>
<li><a href="https://www.cybereason.com/blog/research/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers" target="_blank" rel="noopener">Operation Soft Cell: A Worldwide Campaign Against Telecommunications Providers</a>, Cybereason</li>
<li><a href="https://www.microsoft.com/en-us/security/blog/2019/12/12/gallium-targeting-global-telecom/" target="_blank" rel="noopener">GALLIUM: Targeting global telecom</a>, Microsoft Threat Intelligence Center (MSTIC)</li>
</ul>


        </div>
      </div>
    </div>
  </article>
<script type='text/javascript' id='wpdevart_lightbox_front_end_js-js-extra'>
/* <![CDATA[ */
var wpdevart_lb_variables = {"eneble_lightbox_content":"enable","overlay_transparency_prancent":"80","enable_video_popuping":"enable","popup_background_color":"#000000","popup_loading_image":"https:\/\/unit42.paloaltonetworks.com\/wp-content\/plugins\/lightbox-popup\/images\/popup_loading.png","popup_initial_width":"350","popup_initial_height":"300","popup_youtube_width":"640","popup_youtube_height":"410","popup_vimeo_width":"500","popup_vimeo_height":"410","popup_max_width":"5000","popup_max_height":"5000","popup_position":"5","popup_fixed_position":"true","popup_outside_margin":"0","popup_border_width":"2","popup_border_color":"#000000","popup_border_radius":"10","control_buttons_show":"true","control_buttons_show_in_content":"false","control_buttons_height":"30","control_buttons_line_bg_color":"#000000","control_button_prev_img_src":"https:\/\/unit42.paloaltonetworks.com\/wp-content\/plugins\/lightbox-popup\/images\/contorl_buttons\/prev.png","control_button_prev_hover_img_src":"https:\/\/unit42.paloaltonetworks.com\/wp-content\/plugins\/lightbox-popup\/images\/contorl_buttons\/prev_hover.png","control_button_next_img_src":"https:\/\/unit42.paloaltonetworks.com\/wp-content\/plugins\/lightbox-popup\/images\/contorl_buttons\/next.png","control_button_next_hover_img_src":"https:\/\/unit42.paloaltonetworks.com\/wp-content\/plugins\/lightbox-popup\/images\/contorl_buttons\/next_hover.png","control_button_download_img_src":"https:\/\/unit42.paloaltonetworks.com\/wp-content\/plugins\/lightbox-popup\/images\/contorl_buttons\/download.png","control_button_download_hover_img_src":"https:\/\/unit42.paloaltonetworks.com\/wp-content\/plugins\/lightbox-popup\/images\/contorl_buttons\/download_hover.png","control_button_innewwindow_img_src":"https:\/\/unit42.paloaltonetworks.com\/wp-content\/plugins\/lightbox-popup\/images\/contorl_buttons\/innewwindow.png","control_button_innewwindow_hover_img_src":"https:\/\/unit42.paloaltonetworks.com\/wp-content\/plugins\/lightbox-popup\/im
ages\/contorl_buttons\/innewwindow_hover.png","control_button_fullwidth_img_src":"https:\/\/unit42.paloaltonetworks.com\/wp-content\/plugins\/lightbox-popup\/images\/contorl_buttons\/fullwidth.png","control_button_fullwidht_hover_img_src":"https:\/\/unit42.paloaltonetworks.com\/wp-content\/plugins\/lightbox-popup\/images\/contorl_buttons\/fullwidth_hover.png","control_button_fullwidthrest_img_src":"https:\/\/unit42.paloaltonetworks.com\/wp-content\/plugins\/lightbox-popup\/images\/contorl_buttons\/fullwidthreset.png","control_button_fullwidhtrest_hover_img_src":"https:\/\/unit42.paloaltonetworks.com\/wp-content\/plugins\/lightbox-popup\/images\/contorl_buttons\/fullwidthreset_hover.png","control_button_close_img_src":"https:\/\/unit42.paloaltonetworks.com\/wp-content\/plugins\/lightbox-popup\/images\/contorl_buttons\/close.png","control_button_close_hover_img_src":"https:\/\/unit42.paloaltonetworks.com\/wp-content\/plugins\/lightbox-popup\/images\/contorl_buttons\/close_hover.png","information_panel_show":"false","information_panel_padding_top":"0","information_panel_padding_bottom":"0","information_panel_show_in_content":"false","information_panel_bg_color":"#000000","information_panel_default_transparency":"100","information_panel_hover_trancparency":"100","information_panel_count_image_after_text":"Image","information_panel_count_image_middle_text":"of","information_panel_count_padding_left":"15","information_panel_count_padding_right":"4","information_panel_count_font_size":"20","information_panel_desc_padding_left":"15","information_panel_desc_padding_right":"4","information_panel_desc_font_size":"20","information_panel_desc_show_if_not":"true","information_panel_text_for_no_caption":"No Caption","information_panel_title_padding_left":"5","information_panel_title_padding_right":"5","information_panel_title_font_size":"15","information_panel_title_show_if_not":"true","information_panel_text_for_no_title":"No 
Title","information_panel_ordering":"{\"count\":[1,\"count\"],\"title\":[0,\"title\"],\"caption\":[0,\"caption\"]}"};
/* ]]> */
</script>
<script type='text/javascript' src='https://unit42.paloaltonetworks.com/wp-content/plugins/lightbox-popup/includes/javascript/wpdevart_lightbox_front.js?ver=1.0' id='wpdevart_lightbox_front_end_js-js'></script>
          
  </body>
</html>
